# Beware that the quotes around the values are mandatory

# GENERAL CONFIGURATION
### url to the database server:
{% if env == 'staging' %}
SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}.stg/{{ fedoauth_db_name }}"
{% else %}
SQLALCHEMY_DATABASE_URI="postgresql://{{ fedoauth_db_user }}:{{ fedoauth_db_pass }}@{{ fedoauth_db_host }}/{{ fedoauth_db_name }}"
{% endif %}

# This is the OpenID endpoint url, at which the server is available
{% if env == 'staging' %}
WEBSITE_ROOT = 'https://id.stg/fedoraproject.org'
COOKIE_DOMAIN = 'id.stg.fedoraproject.org'
OPENID_IDENTITY_URL = 'http://%(username)s.id.stg.fedoraproject.org/'
PERSONA_DOMAIN = 'stg.fedoraproject.org'
PERSONA_ISSUER = 'id.stg.fedoraproject.org'
PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.stg.key'
{% else %}
WEBSITE_ROOT = 'https://id.fedoraproject.org'
COOKIE_DOMAIN = 'id.fedoraproject.org'
OPENID_IDENTITY_URL = 'http://%(username)s.id.fedoraproject.org/'
PERSONA_DOMAIN = 'fedoraproject.org'
PERSONA_ISSUER = 'id.fedoraproject.org'
PERSONA_PRIVATE_KEY_PATH = '/etc/fedoauth/persona.key'
{% endif %}
# This needs to be disabled because we use reverse proxies
COOKIE_CHECK_REMOTE_ADDR = False
COOKIE_SECURE = True

# Modules to use
AUTH_MODULE='fedoauth.auth.fas.Auth_FAS'

# FAS PROVIDER CONFIGURATION
FAS_USER_AGENT = 'FAS-OpenID'
FAS_BASE_URL='https://admin.fedoraproject.org/accounts/'
FAS_CHECK_CERT=True
FAS_HTTPS_REQUIRED=True
FAS_HANDLE_GROUPS_MAGIC_VALUE=True

# Enable a filter to make this only available to a specific list of users
FAS_AVAILABLE_FILTER = False
FAS_AVAILABLE_TO = []

# PERSONA CONFIGURATION
# This is the domain for which we are willing to sign
PERSONA_PRIVATE_KEY_PASSPHRASE = '{{ fedoauth_persona_key_passphrase }}'

# OPENID CONFIGURATION
# This is the OpenID url provided to users. Add %(username)s where the username should be entered
# A list of trust roots for which the user will not need to confirm again
OPENID_TRUSTED_ROOTS = ['http://jenkins.cloud.fedoraproject.org/securityRealm/finishLogin',
                        'https://ask.fedoraproject.org/',
                        'https://fedorahosted.org/',
                        'https://badges.fedoraproject.org',
                        'https://apps.fedoraproject.org/tagger/',
                        'https://apps.fedoraproject.org/nuancier/',
                        'https://apps.fedoraproject.org/datagrepper/',
                        'https://apps.fedoraproject.org/calendar/',
                        'http://apps.fedoraproject.org/notifications/',
                        'http://copr.fedoraproject.org/',
                        'http://copr-fe.cloud.fedoraproject.org/']
OPENID_NON_TRUSTED_ROOTS = []
### The maximum time after which the user must re-authenticate for OpenID in minutes (use 0 for no limit)
OPENID_MAX_AUTH_TIME = 120
